13.12 Policy on Use of Social Security Numbers

Purpose

To establish policy with regard to the University’s collection, maintenance, and distribution of Social Security Numbers (SSNs); and to ensure compliance with both the letter and the spirit of the Family Educational Rights and Privacy Act and the Privacy Act of 1974.

Policy Statement

This policy mandates a migration away from the use of the Social Security number as a common identifier at UNI.

Policy objectives include campus-wide awareness of the confidential nature of Social Security Number; a consistent policy towards and use of Social Security Numbers; and increased confidence by students, faculty and staff that Social Security Numbers are handled in a confidential manner.

The University is committed to ensuring the privacy and proper handling of SSNs and other confidential information that it collects and maintains from students, faculty, staff, and other individuals associated with the University.

Procedure

A unique identification number shall be assigned to all students, employees, and other individuals associated with the University. This University ID shall be assigned at the earliest possible point of contact between the individual and the University. The ID shall be used as the campus ID Card identifier and shall be used in all future electronic systems and on paper documents to identify, track, and to provide service to individuals associated with the University. It shall be permanently associated with the individual to whom it is originally assigned. The ID shall be jointly maintained and administered by the Registrar, Department of Residence and Information Technology Services (ITS).

Personal information shall not be publicly posted or displayed in a manner where either the University ID or the Social Security Number identifies the individual associated with the information.

When Social Security Numbers are electronically transmitted on the “open” University network it shall be done only through encrypted mechanisms.

All documents (paper and electronic) and any storage media containing Social Security Numbers shall be disposed of in a timely and secure fashion consistent with the UNI record keeping policy.

Except in those cases where the University is required to collect a Social Security number, individuals shall not be required to provide their Social Security number, verbally or in writing, at any point of service, nor shall they be denied access to those services should they refuse to provide a Social Security Number. Individuals may volunteer their Social Security number if they wish, however, as an alternate means of locating a record.

The University shall release Social Security Numbers to entities outside the University (contractors, vendors, service providers) as allowed by law or when the individual grants such permission. University contracts with outside entities shall include, if relevant, language identifying the responsibility and restrictions on use of Social Security Numbers by the third party.

Social Security Numbers may continue to be stored as a confidential attribute associated with an individual. The Social Security Number shall be used as allowed by law; and as an optional key to identify individuals for whom an ID is not known.

The University division of Administration and Finance shall assign to an existing administrator the responsibility of overseeing Social Security Number usage as it relates to employees and other individuals (anyone other than students, prospective students, parents, and alumni) associated with the university. The division of Educational and Student Services shall assign to an existing administrator the responsibility of overseeing Social Security Number usage as it relates to students, prospective students, parents and alumni.

Each Social Security Number Administrator shall have the responsibility to:

Coordinate communications to faculty, staff, and students concerning their rights and responsibilities with regard to the collection, maintenance, and distribution of Social Security Numbers

Oversee the implementation and adherence to UNI’s SSN policy

Provide support and guidance for offices working with Social Security Numbers

Consult with the University Operations Auditor when an opinion on the release or exchange of Social Security Numbers is required

Authorize the use of Social Security Numbers in new systems, as appropriate

Maintain a list of entities (contractors, vendors, service providers), approved by the University Operations Auditor, to which Social Security Numbers may be released

Maintain a set of standard disclosure statements, approved by the University Operations Auditor, for use on University forms and documents that collect Social Security Numbers.

All University forms and documents that request Social Security Numbers shall include an approved disclosure statement, and shall indicate whether the request is voluntary or mandatory. Existing forms and documents shall be modified as they are reprinted. Approved statements shall be available through the Social Security Number Administrators.

All new University contracts with service providers and vendors shall include verbiage, provided by the University Operations Auditor, every time in which SSN is involved. This language shall identify the responsibility and restrictions on use of Social Security Numbers by that third party. Approved statements are available through the Social Security Number Administrators.

Information Technology Services (ITS), in conjunction with the Social Security Number Administrators and Division Technology Coordinators shall develop a set of standards and guidelines addressing the handling of Social Security Numbers in electronic systems. Adherence to these guidelines in all future development shall be considered a requirement of this policy statement.

Compliance with this policy shall be attained through a phased approach. The goal is to attain complete compliance with this policy within 3 years of its adoption.

The Associate Vice President for Information Technology Services shall be responsible for monitoring compliance with this policy.

An employee or student who knowingly violates this policy and/or in any way breaches the confidentiality of Social Security Numbers may be subject to appropriate disciplinary action or sanctions.